
A joint Technical Alert, TA17–293A, describing the activities of a Russian APT may contain signatures and rules likely to trigger false positives in some security systems.

A joint Technical Alert, TA17–293A, released over the weekend by the FBI and Department of Homeland Security describing the activities of a Russian APT may contain signatures and rules likely to trigger false positives in some security systems.

The alert, made available Saturday morning, dissects the activity of the Dragonfly APT, also known as Energetic Bear, Crouching Yeti and a host of other nicknames. The group targets the energy sector and other critical utilities, including nuclear, as well as government agencies and manufacturing.

DHS goes into great detail about the group’s activities, how it infiltrates organizations and what it’s after. It also provides a laundry list of network- and host-based signatures, as well as a YARA ruleset for the malware used by this group.

YARA expert Florian Roth warned within hours of the release that some of the IOCs and YARA rules were flawed and could cause a wave of unnecessary alerts for admins.

Beware of false positives – there are 2 signed PsExec hashes in the IOCs & the YARA rules have unstable conditions AND/OR // I'll try to fix

This situation harkens back to the Grizzly Steppe report of last December which connected the Russian-speaking APT Sofacy, or Fancy Bear, to attacks against a number of 2016 election-related targets.

That report too was criticized, and admins were advised by a number of security companies not to use the indicators because of the potential for false positives. Some of the indicators in the December report associated with Sofacy included rules for Yahoo email, for example, which some groups use as a means for command and control communication.

This week’s report, Roth points out, contains a few similar issues, most notably around PsExec, a well-known Windows Sysinternals utility. Roth said there were two signed hashes for PsExec among the IOCs and YARA rules that would trigger false positives.

“This is no problem, as long as a human reads and pre-qualifies the IOCs before bringing them into production,” Roth wrote in an analysis published on Medium. “The two listed versions of PsExec could be an indicator of compromise if an organisation forbids the use of PsExec or can be certain that the listed versions are not used by the system administrators (both are rather unlikely).”

“We do not recommend the usage of the original rules in a production environment, because they will result in false positives,” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team. “Instead, we recommend Florian’s rules, which are of much higher quality, after his polishing.”
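The pre-qualification step Roth describes, as an added example in Python that is not from the alert, from Threatpost or from Roth's corrected rules: the hash triage rejects feed entries that match a constructed allowlist of signed admin tools, and the YARA check flags rules whose condition mixes and/or at one level without parentheses, the kind of precedence mix his tweet points at. The allowlist hashes and the sample ruleset are constructed placeholders, not values from the alert.

```python
"""Pre-qualify an IOC hash list and a YARA ruleset before deployment (added example, constructed data)."""
import re

# Constructed allowlist of admin tools that also show up in threat feeds.
# The hashes are synthetic placeholders, not the real PsExec hashes.
KNOWN_ADMIN_TOOLS = {
    "11" * 32: "PsExec v2.x (signed Sysinternals build)",
    "22" * 32: "PsExec v1.x (signed Sysinternals build)",
}

def triage_hashes(feed_hashes):
    """Return (accepted, rejected); rejected pairs each hash with a reason."""
    accepted, rejected = [], []
    for h in (x.strip().lower() for x in feed_hashes):
        if not re.fullmatch(r"[0-9a-f]{64}", h):
            rejected.append((h, "not a SHA-256"))
        elif h in KNOWN_ADMIN_TOOLS:
            rejected.append((h, "known admin tool: " + KNOWN_ADMIN_TOOLS[h]))
        else:
            accepted.append(h)
    return accepted, rejected

def unstable_condition(cond):
    """True when 'and' and 'or' meet at one nesting level without parentheses.
    YARA binds 'and' tighter than 'or', so '$a and $b or $c' fires on $c alone."""
    prev = None
    while prev != cond:  # peel parenthesised groups from the inside out
        prev, cond = cond, re.sub(r"\([^()]*\)", " G ", cond)
    ops = {t for t in cond.lower().split() if t in ("and", "or")}
    return ops == {"and", "or"}

def lint_yara(ruleset):
    """Return names of rules whose condition mixes and/or without grouping."""
    pat = re.compile(r"rule\s+(\w+)\s*(?::[^{]*)?\{.*?condition:\s*(.*?)\s*\}", re.S)
    return [name for name, cond in pat.findall(ruleset) if unstable_condition(cond)]

# Constructed ruleset: loose_loader looks targeted but fires on any file with
# the common $c string; grouped_loader states the intended precedence.
SAMPLE_RULES = """
rule loose_loader {
    strings:
        $a = "dragonfly"  $b = "energetic"  $c = "Mozilla/5.0"
    condition:
        $a and $b or $c
}
rule grouped_loader {
    strings:
        $a = "dragonfly"  $b = "energetic"  $c = "Mozilla/5.0"
    condition:
        ($a and $b) and ($c or uint16(0) == 0x5A4D)
}
"""
```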

The joint technical alert meanwhile warns that the U.S. government is aware of victims in the targeted industries. It describes the stages of these attacks, characterized by the compromise of smaller, less-protected networks followed by lateral movement toward higher-value networks, particularly in the energy sector.

“Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign,” the alert said.

The alert said that since May, victims in these industries have been targeted and some compromised. The goal, the alert said, is most often espionage. Groups targeting these industries are hoping to learn more about these networks and industrial processes for either financial gain or to disrupt them in the event of a conflict.

“This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks,” the alert said. “The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks.”

The alert points out that the APT uses spear phishing and watering hole attacks to compromise victims’ machines. The group also has a number of endpoint and ICS exploits at its disposal, and is intent on gathering credentials that can be used in further attacks.

The use of staging targets, most in the supply chain, extends a growing trend of these types of attacks that peaked earlier this year with the use of Ukrainian software MeDoc to spread the NotPetya wiper malware.

Authors

Threatpost
